# Nmap Cheatsheet

![[nmap site logo.png]]

## What is it?

*[Nmap](https://nmap.org/) ("Network Mapper") is a [free and open source](https://nmap.org/npsl/) utility for network discovery and security auditing.*

***

## Usage:

>[!warning] Nmap readily performs *Active Scans*; its use against IPs or URLs without authorization is questionably legal. *Get permission before scanning a target.*

### Syntax

Using Nmap is easy: call the `nmap` command, specify a scan type, and give a target IP address or hostname:

`nmap` [ _`<Scan Type>`_ ...] [ _`<Options>`_ ] { _`<target specification>`_ }

Nmap can scan IPv4 addresses, such as the IP address of `scanme.nmap.org`:

```shell
nmap 45.33.32.156
```

Scanning a hostname requires no extra arguments:

```shell
nmap scanme.nmap.org
```

Scanning IPv6 addresses does require the `-6` argument:

```shell
nmap -6 www.eurov6.org
```

### Common Arguments

- `-sV` Service detection
- `-sC` [[Nmap#Script Scanning|Script scanning]], looks for vulnerabilities or extra info
- `-O` Operating system detection
- `-A` Performs OS detection, service detection and traceroute scans. *Very noisy scan*
- `-p` [[Nmap#Port Scanning|Specify port(s) to be scanned]]
- `-oN` [[Nmap#Output Types|Output scan]] to the default `.nmap` file

### Service Detection

A very important tool: it can shed light on the services running and their versions. This helps us find old services with known exploits.

### Script Scanning

Script scans provide us with vulnerabilities on our target. The basic `-sC` argument performs some simple vulnerability scans and also retrieves the **computer hostname**. We can search for more in-depth scans in the library of scripts in `/usr/share/nmap/scripts/` on Kali. Running them involves calling scripts as `--script={desired scan}`:

```shell
nmap --script=banner 45.33.32.156
```

Or

```shell
nmap --script smb-os-discovery.nse 45.33.32.156
```

***

### Port Scanning

Port scanning allows us to specify the ports we are enumerating.
By default, `nmap` only scans the first 1000 ports on a system; in reality there are 65,535 ports. To specify a port, use `-p`:

```shell
nmap 45.33.32.156 -p 80
```

To scan several ports:

```shell
nmap 45.33.32.156 -p 80,443
```

To scan a range of ports:

```shell
nmap 45.33.32.156 -p 80-443
```

To scan all ports we use `-p-`; in this case we also want to use `-T4` to speed up the scan:

```shell
nmap 45.33.32.156 -p- -T4
```

To disable port scanning use `-sn`:

```shell
nmap 45.33.32.156 -sn
```

***

### TCP vs UDP

#### TCP

By default, `nmap` runs a TCP scan on the top 1000 ports. To scan only the top 10 most common ports, run `--top-ports=10`:

```shell
nmap 45.33.32.156 --top-ports=10
```

#### UDP

Sometimes administrators forget to filter UDP ports on a system. In this case we run `-F` to scan the top 100 ports and `-sU` to perform a UDP scan:

```shell
sudo nmap 10.129.2.28 -F -sU
```

***

### Output Types

We can output our scans to a variety of formats:

- Normal output (`-oN`) with the `.nmap` file extension
- Grep-able output (`-oG`) with the `.gnmap` file extension
- `XML` output (`-oX`) with the `.xml` file extension

#### Style Sheets

It's easy to convert an `XML` file from `Nmap` to an `HTML` file with fancy highlighting:

```shell
xsltproc target.xml -o target.html
```

![[nmap-report.webp]]

### Firewall and IDS/IPS Evasion

Evading firewalls is an essential skill that at times takes advantage of both `nmap` and `nc`.

```shell
# -p sets the local (source) port that nc connects from
sudo nc -nv -p {source port} {target IP} {target port}
```

***

## Workflow:

### Surface Scan

Using `nmap` with no arguments performs a basic scan on the first `1000` ports. The following is against a target from HTB Academy:

```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~]
└─$ nmap 10.129.92.151
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-23 10:52 EDT
Nmap scan report for 10.129.92.151
Host is up (0.052s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2323/tcp open  3d-nfsd
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.89 seconds
```

Before we select more in-depth scans, we need to analyze this surface scan so we know which rabbit hole to dive down. We see a variety of ports open:

- `21` is FTP
- `22` is SSH
- `80` indicates a possible web server
- `139` is NetBIOS, or Network Basic Input Output System. If port `139` is available to a hacker, they can gain:
    1. A list of local NetBIOS names
    2. Computer name
    3. A list of names resolved by WINS
    4. IP addresses
    5. Contents of the session table with the destination IP addresses
- `445` is for SMB file sharing
- `2323` is an alternate Telnet port; Telnet is a highly vulnerable predecessor to SSH
- `8080` is an alternate for web server port `80`, usually for local web hosting only. Likely vulnerable because it's not designed to be public

### In-depth scan

Now that we've identified some protocols on the system in question, we can investigate further using a few arguments:

- `-sV` performs a version scan on each service it finds. Versions are important so we know if a service is old and lacks security patches
- `-sC` performs the default script scans built into Nmap. This illuminates more services and provides more information. Specific scripts designed to illuminate certain vulnerabilities can be selected with `--script` as needed
- `-p-` scans all 65,535 possible ports on a machine, rather than just the first 1000
- `-oN` prints the results to a file

```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~]
└─$ nmap -sV -sC -p- 10.129.92.151 -oN nmap-scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-23 11:03 EDT
Nmap scan report for 10.129.92.151
Host is up (0.067s latency).
Not shown: 65528 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.14.203
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Feb 25  2021 pub
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 a0:01:d7:79:e9:d2:09:2a:b8:d9:b4:9a:6c:00:0c:1c (RSA)
|   256 2b:99:b2:1f:ec:1a:5a:c6:b7:be:b5:50:d1:0e:a9:df (ECDSA)
|_  256 e4:f8:17:8d:d4:71:d1:4e:d4:0e:bd:f0:29:4f:6d:14 (ED25519)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-title: PHP 7.4.3 - phpinfo()
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
2323/tcp open  telnet      Linux telnetd
8080/tcp open  http        Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|   date: 2024-08-23T15:04:15
|_  start_date: N/A
|_nbstat: NetBIOS name: GS-SVCSCAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
|_clock-skew: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.24 seconds
```
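The `-oX` XML output is the easiest form to post-process once a scan like the one above has finished. As an added example (not from this note or from the Nmap project), the Python below parses a constructed Nmap XML report modelled on the in-depth scan and flags the ports the workflow singles out (cleartext FTP/Telnet, anonymous FTP); element and attribute names follow Nmap's XML schema, and the sample data itself is made up.

```python
# Added example (not from the original note): parse Nmap's -oX XML output and
# flag services worth a closer look. The XML is constructed to mirror the
# in-depth scan above; it is not a real Nmap file. Standard library only.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" version="7.94SVN">
 <host><address addr="10.129.92.151" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="21"><state state="open"/>
    <service name="ftp" product="vsftpd" version="3.0.3"/>
    <script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
   <port protocol="tcp" portid="2323"><state state="open"/>
    <service name="telnet" product="Linux telnetd"/></port>
   <port protocol="tcp" portid="8080"><state state="filtered"/>
    <service name="http-proxy"/></port>
  </ports></host></nmaprun>"""

# Legacy cleartext services the note singles out, and NSE script ids whose presence is a finding.
CLEARTEXT = {"ftp", "telnet"}
FLAG_SCRIPTS = {"ftp-anon": "anonymous FTP login allowed"}

def parse_open_ports(xml_text):
    """One dict per open port: host, port, service, version, NSE script outputs."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":   # skip filtered/closed ports
                continue
            svc = port.find("service")
            version = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            scripts = {s.get("id"): s.get("output") for s in port.findall("script")}
            found.append({"host": addr, "port": int(port.get("portid")),
                          "service": svc.get("name"), "version": version,
                          "scripts": scripts})
    return found

def findings(xml_text):
    """Map 'host:port' to the reasons that port deserves a closer look."""
    out = {}
    for p in parse_open_ports(xml_text):
        reasons = [f"{p['service']} is a cleartext protocol"] if p["service"] in CLEARTEXT else []
        reasons += [msg for sid, msg in FLAG_SCRIPTS.items() if sid in p["scripts"]]
        if reasons:
            out[f"{p['host']}:{p['port']}"] = reasons
    return out
```

Run it against a real report with `findings(open("target.xml").read())` after an `nmap -sV -sC -oX target.xml ...` scan; filtered ports are ignored so only reachable services are triaged.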